More than 8 in 10 American CEOs say they plan to spend more on cybersecurity next year, even though nearly 9 in 10 say they need a better way to measure the effectiveness of what they’re already spending.
The data come from a new survey of 200 U.S. CEOs released Tuesday by RedSeal, the cybersecurity analytics firm.
Eighty-seven percent agreed or strongly agreed that they need a better way to measure the effectiveness of their cybersecurity spending, but 84 percent plan to increase it over the coming year anyway. The findings are consistent with a cybersecurity market that continues to grow — and will reach $101.6 billion in 2020, according to IDC — despite the absence of broadly accepted metrics for measuring the effectiveness of a given product, service or strategy.
Large majorities also agreed with the statements “I’m spending money on network security tools and have no way to measure their effectiveness” (82 percent) and “The cybersecurity reports I see are very difficult to understand” (79 percent).
The RedSeal survey also shows that CEOs tend to be operating with outdated notions about how to protect their data and brimming with confidence about the cybersecurity of their companies.
Half of the respondents still prioritize keeping hackers out of the company network — even though the mantra “assume compromise,” is now part of the conventional wisdom of cybersecurity. Only 24 percent wanted to get tools to deal with hackers who have already breached their network’s perimeter defenses — nowadays considered one of the baseline capabilities any cybersecurity strategy should aim at.
At the same time, more than 80 percent are “very confident” in their company’s cybersecurity strategies. Confidence was higher among longer serving CEOs and among those who headed larger companies.
Nearly 8 in 10 of the CEOs surveyed strongly agreed that “cybersecurity is a strategic function that starts with executive leadership” as opposed to being a responsibility delegated to IT executives. Nonetheless, 89 percent say they rely on their IT team to make the budget decisions on cybersecurity.
Part of the problem appears to be that CEOs aren’t getting the information they say they need, despite the fact that more than half (56 percent) say they speak daily to their chief information security officer.
Eighty-nine percent say they want information — on a daily basis — about the company’s cybersecurity posture and its network’s overall health.
Even those who are getting the information they say they want report challenges:
The study was conducted online by data collection firm 72 Point in September. Two hundred CEOs in the U.S. were randomly sampled, at organizations with 250-plus employees. Forty-two percent of respondents were CEOs of companies with more than 1,000 employees.